Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0909 Moodle security updates 16 March 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: moodle Publisher: moodle Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Cross-site Scripting -- Remote with User Interaction Unauthorised Access -- Remote/Unauthenticated Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-20283 CVE-2021-20282 CVE-2021-20281 CVE-2021-20280 CVE-2021-20279 CVE-2020-11023 CVE-2020-11022 Original Bulletin: https://moodle.org/mod/forum/discuss.php?d=419651&parent=1691260 https://moodle.org/mod/forum/discuss.php?d=419650&parent=1691259 https://moodle.org/mod/forum/discuss.php?d=419655&parent=1691274 https://moodle.org/mod/forum/discuss.php?d=419654&parent=1691273 https://moodle.org/mod/forum/discuss.php?d=419653&parent=1691269 https://moodle.org/mod/forum/discuss.php?d=419652&parent=1691268 Comment: This bulletin contains six (6) moodle security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- MSA-21-0007: Stored XSS and blind SSRF possible via feedback answer text Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks. Severity/Risk: Serious Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17 Reported by: Holme and Rekter0 CVE identifier: CVE-2021-20280 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70767 Tracker issue: MDL-70767 Stored XSS and blind SSRF possible via feedback answer text - -------------------------------------------------------------------------------- MSA-21-0006: Stored XSS via ID number user profile field The ID number user profile field required additional sanitizing to prevent a stored XSS risk. Severity/Risk: Serious Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17 Reported by: Magyar-Hunor Tamas Workaround: Disable the ID number field by unchecking it in Site admin > Users > User policies > Show user identity, until the patch has been applied. CVE identifier: CVE-2021-20279 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65552 Tracker issue: MDL-65552 Stored XSS via ID number user profile field - -------------------------------------------------------------------------------- MSA-21-0011: JQuery versions below 3.5.0 contain some potential vulnerabilities (upstream) The JQuery version used by Moodle required upgrading to 3.5.1 to patch some published potential vulnerabilities. Severity/Risk: Minor Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17 Reported by: Mike Henry CVE identifiers: CVE-2020-11022 and CVE-2020-11023 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69680 Tracker issue: MDL-69680 JQuery versions below 3.5.0 contains some potential vulnerabilities - -------------------------------------------------------------------------------- MSA-21-0010: Fetching a user's enrolled courses via web services did not check profile access in each course The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course. Severity/Risk: Minor Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17 Reported by: Paul Holden CVE identifier: CVE-2021-20283 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70822 Tracker issue: MDL-70822 Fetching a user's enrolled courses via web services did not check profile access in each course - -------------------------------------------------------------------------------- MSA-21-0009: Bypass email verification secret when confirming account registration When creating a user account, it was possible to verify the account without having access to the verification email link/secret. Severity/Risk: Minor Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17 Reported by: Bandjes CVE identifier: CVE-2021-20282 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70668 Tracker issue: MDL-70668 Bypass email verification secret when confirming account registration - -------------------------------------------------------------------------------- MSA-21-0008: User full name disclosure within online users block It was possible for some users without permission to view other users' full names to do so via the online users block. Severity/Risk: Minor Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17 Reported by: Ankit Agarwal Workaround: Hide the online users block (via Site administration > Plugins > Blocks > Manage blocks) until the patch has been applied. CVE identifier: CVE-2021-20281 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59293 Tracker issue: MDL-59293 User full name disclosure within online users block - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYE/4l+NLKJtyKPYoAQgUThAAmHfz1D2l0DdKx5BlDJSpecFHrwiUxV3T v6jA3O1OC3MOkw+iIDGYGqX/B53Gl2ZKWFBt5X6fexRn+BpM+i6ElP7zoD4s3oqk AnGVvyTy7Do+koBKRcvfXtC5MDxBekyFiKdeTKSlEgMiuq3ivyANQ03XGb3mNTIz CdvxGc5+Kmv2aJuejTJndolf1UIuVaXVfafjVbSGIudaVgsoK/gXK5MD+4tSDBws 5/swFiIqOOp4brZmX6YHnJTzF9bBZRJsa8szDdYH+yl3tSNyCQ67/0HFrUr9UVkp kyh2qTs9znhSHFxWM0eAzNRzOTYr7uLqtUSz1TXeRa5rqvWe4uvFfYFxYm4Y56pM n6fqAXJkV5Jgi9eBlgCcNQQpKUs0Jefcd2SMCfQCTvdNiSESFnajnrn2tJCYdMlN Xane6cVzM3BN0ta5g0VdLzEBR7zXsB9KOf0d+wbwLu4sNeXbcavMAQuH8GJJ+HtD w07Hy9TuHaYZWa6tF6gdILxkHZ+Czm2JcLwEXEaT+hWcBbc3rT1xZL9HMCtZPESZ 8f5hgcnsDCdcAqmVyCga7WcpiPAEBZ22uLgrzdIY+TydpgCIfweFhPdqy6e7/cSD TlgraBW3f/Yf5JnuKM0KEwHyndWmW4VyHyB+M0c2x9ToEAGYYszczdjtv0kEcuHO BAM4NG1DfvM= =M1eW -----END PGP SIGNATURE-----